Hacker News new | past | comments | ask | show | jobs | submit login

Safari's content blockers are super easy to circumvent by anti-ad-blocking tech.

That many publishers don't do that already is a mystery, probably because visitors with ad-blocking are still a minority and publishers don't want to piss them off.

As a disclaimer I was in a team working on such technology. The hardest to beat is uBlock Origin, being the most capable from a technical perspective. And we left it completely alone, a good strategy for angry users having a last resort solution to migrate to instead of investigating why AdBlock Plus isn't working.

And also by not having a company behind it, a partnership with uBlock Origin for "acceptable ads" isn't possible. Which is why the whole industry, Google included, is scared of it and it's no wonder that they've taken steps to kill it in Chrome for desktop ;-)

> And also by not having a company behind it, a partnership with uBlock Origin for "acceptable ads" isn't possible.

I'm really glad you brought that up, because it's an interesting dynamic. Industries generally know how to deal with companies and senators. People like Gorhill though are hard to control using conventional strategies, because they're not getting any money out of it, they don't have supply chains or a duty to investors that you can exploit. They're just people doing stuff.

This can obviously be both a positive and a negative. But when people talk about competitive and regulatory forces, it's important to remember that some forces also come from outside of the system.

Adblocking is legal, but another good (less legal) example is Sci-hub. Sci-hub is just as large of an actor in the debate about academic publishing as any other official institution, but it refuses to be subject to the same rules as those institutions. If you're a traditional publisher, you can't reason with Sci-hub. None of the conventional strategies you would use on a competitor work for Sci-hub.

In general, if you're a business, you would prefer to only deal with other businesses and (to an extent) the government. Purely ideological actors, or people who don't pay attention to the conventional rules of engagement are much more annoying. You have to find some kind of leverage over those people so they can't cause as much trouble.

I don't doubt that part of the reason Google is locking down extensions is for security. I'm also sure that there are executives at Google who look at locked-down extension APIs and the inability to side-load extensions as a way of locking out people like Gorhill, and making sure the debate over acceptable ads is primarily restricted to industry players. For them, the fact that these policies improve some aspects of security is just a bonus.

Anyone else remember why it's called ublock origin?

Because that exact kind of supply-chain attack thing happened to the original version. (ublock)

There isn't anything stopping individuals from publishing Safari content blockers, though? No more than with the previous extension model.

Nor were individuals the only players to take advantage of the powers available to old extensions.

There are also legitimate security reasons why browsers such as Firefox have restricted side-loading add-ons on consumer operating systems such as Windows.

There's a debate to be had about whether security for most users is worth the trade-off in flexibility for power users. But regardless of any other reasons we might speculate, the arguments that have been presented in favor of such changes are already compelling enough on their own and need to be seriously addressed.

As I said, Safari's content blockers are restricted in what they can do and easy to circumvent.

That they work for now is only temporary.

There's also the elephant in the room:

1. Those content blockers don't work in webviews and most apps on iOS open urls in web views with no way to choose Safari

2. Apps have no ad blockers either

Gmail on iOS is especially annoying because we often have to open links that require sign-in (e.g. Github) and there's no way to make it open Safari, but it does have an option for opening "Chrome" (also a shell around an iOS webview).

But I love seeing people sticking it to the man :-)

> Gmail on iOS is especially annoying because we often have to open links that require sign-in (e.g. Github) and there's no way to make it open Safari, but it does have an option for opening "Chrome" (also a shell around an iOS webview).

This is false. GMail has settings for choosing chrome or safari - settings > default apps.

Fair point regarding mobile Safari, though there aren't many better options on iOS. Extensions have never been supported there.

I was mainly addressing the situation on desktop, such as Safari on macOS, since the previous comments were discussing changes to desktop browsers.

>Those content blockers don't work in webviews and most apps on iOS open urls in web views with no way to choose Safari

What's even the point of having a system-level solution if it doesn't work on system-level webviews?

Then you aren't the target for these browsers. I suggest you use one that does what you need. Safari does enough for the majority, tho I understand if "power users" need more "control".

Are you a Safari user? I'm trying to understand why you are so obsessive over this minor (to the majority of Safari users) "issue".

Regardless, we all deserve privacy and I suggest everyone use either an extension OR a content blocker. I don't care. Just stick it to those scum bags mining your data to send you "targeted" ads. That we can agree on!

edit: Cannot reply to bad_user for whatever reason. Regardless, I think we're both on the same page arguing about the same thing in different ways. Let's agree to disagree? <3 my man. Take it easy.

No, this isn't about control.

Safari's content blockers simply suck at what they do.

And yes, I'm an iPhone user.

I use the Firefox Focus blocker on iOS and while it’s not perfect, a few minutes with it disabled is sufficient to say that “simply suck” is grossly inaccurate. It’s a good compromise for something which normal users have a hard time evaluating — 90% of the benefits with zero risk of a security compromise.

See my edits, couldn't reply earlier. We agree in the end. :)

Are you in the anti anti ad block business for research or for the cash? I wish that folks would instead focus on building better business models vs circumventing privacy/malware protection.

Honest question - What are your personal feelings about working on tech that many (perhaps most), HN users consider harmful from a security and privacy standpoint?

I think ads provide a business model without which many online services won't survive.

And indeed there's the privacy angle, however... (1) laws like the GDPR are far more effective at fighting that and (2) ads don't have to actually do personalisation to work and indeed, now that GDPR is in, in the EU many publishers are turning to less intrusive advertising.

I also think many users block ads for reasons unrelated to privacy.

As proof, whenever a new restriction happens for a free service without ads, you only need to witness the outrage, like for example when Dropbox limited its free service to sync with only 3 devices, or when OneDrive lowered the storage provided on its free tier, etc. Also witness, for all the bitching and moaning about privacy issues, how many people here are still using a @gmail.com address.

Truth of the matter is many people want to eat their cake and have it too. Most people just wants free stuff without any inconvenience. and it's hard to take them seriously.

Don't get me wrong, I'm using an ad-blocker myself. However I'm also paying for the content I'm consuming whenever I can, if it has any value to me. I happily pay for YouTube Premium for example, also for Fastmail, Dropbox, Newsblur and others.

So how do I feel? I'm feeling fine to be honest.

If you need to ask other people's advice, then it's probably not ok, because you're already questioning it yourself. The problem is that there's a part of your psychology that wants to ignore any 'moral' issues for some reason. Money and self-status are the two most common reasons I can think of that makes us want to go ahead with a project that others would prefer be left alone.

Specifically, you used the word "harm" which implies that you understand that your actions can actually harm others. I'd give that a solid - "don't do it". Love thy neighbor, brother.

Is "acceptable ads" really such a bad idea, assuming some reasonable criteria (not "pay us") for acceptableness?

If you think back to the early days, ads were often just static images. If we could go back to that, I don't see much of a problem with them, other than being ugly. Ads would be acceptable to me if they just got rid of

1) scripts,

2) user profiling,

3) sound,

4) animation.

Kind of like newspaper ads. They don't have to assault you and find out where you live to be effective.

I think a standard <ad> web component built into browsers is a good idea. This gives the user back control, and allows optimisation directly in the browser with C++ - also allows us to say: load only X ads with Y performance constraints and no more than Z bandwidth before they get dropped.

Yes, it does ultimately make it easier to block ads, but

1) Users who want to do that are always going to, and I'll always stay on the side of freedom for the user. We might as well ditch ad blockers and their performance issues if we can.

2) We have a standard way for publications to respectfully say no to serving content to blocking users rather than the JavaScript, anti-ad-blocker monstrosities we've got today - I respect the freedom of companies too, and they're always going to try and do this - likewise, we might as well ditch the awful performance/battery issues with this.

3) Performance and privacy can be kept in the hands of the user. This also means GDPR consent and a whole host of other stuff can be handled directly by the browser too. Asking the user to allow ads can be built right in and privacy is preserved if they say no which is better than all the consent dialogs we've got today.

Would be interested in everyone's thoughts on this. My approach probably will result in it being more difficult to ask content, but it preserves privacy and performance to the extent the user is willing.

I'm not sure about how reliable the source is but there could be 47% of visitors that use some kind of ad blocker (https://www.forbes.com/sites/tjmccue/2019/03/19/47-percent-o...). Technically a minority but not something to gloss over.

Do your colleagues curse the name of Gorhill and have a dartboard with his face and μblock Origin's logo on it?

Does everyone know Safari's developer menu, if enabled, lets you turn JS on or off in the menu? I find this very helpful browsing news websites. It's not as good as eg noscript in Firefox but it's not inconvenient either.

Ha, no :-)

And I'm also no longer on that team.

And random ad blocking programs that use the traditional ad blocking frameworks can easily record, intercept, and track everything you do.

Any site that goes through trouble of blocking ad blockers I just avoid.

Can you elaborate on what special tech make uBlock hard to beat ?

uBlock Origin replaces some third-party scripts with empty (noop) functions or otherwise sterilized APIs.


Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact